fabiofabio
Collaborator

Re: internal subnet of a tunnel vpn equal to my internal subnet


Sorry if I'm wrong; as I said before, I never dealt with NAT. But from what I've read, wouldn't a hide NAT on their side be enough, so the subnet I want comes directly to me?


Accepted Solutions

The NAT solution is really simple. You pick a NAT block for them to use, and they pick a NAT block for you to use. Each side applies the NATs for their own addresses using the NAT block provided by the peer. That way, you always talk with a block of addresses you know don't overlap with anything in your environment, and they always talk with addresses which they know don't overlap with anything in their environment. Within the tunnel, it will be the addresses they selected for you and the addresses you selected for them, with no real addresses at all. Works for VPNs or WAN links, and keeps everything unambiguous.
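A worked model of the scheme described in this answer, added here as an example (it is not code from the thread or from Check Point): two sites that both run the same 10.1.0.0/24 (constructed values), each handed a 1:1 NAT block by its peer, plus a check that the agreed blocks collide with nothing on either side before anyone writes a rule.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed example values: both sites use the same internal subnet, so
# real addresses must never appear inside the tunnel at all.
SITE_A_REAL = IPv4Network("10.1.0.0/24")
SITE_B_REAL = IPv4Network("10.1.0.0/24")   # the overlap the thread is about
NAT_FOR_A = IPv4Network("172.16.50.0/24")  # chosen by B: how B sees A's hosts
NAT_FOR_B = IPv4Network("172.16.60.0/24")  # chosen by A: how A sees B's hosts


def nat_plan_problems(real_a, real_b, nat_a, nat_b):
    """Sanity-check the agreed blocks. The two real networks may overlap
    (that is the whole point), but each NAT block must be disjoint from
    both real networks and from the other NAT block, and a 1:1 static NAT
    needs the same prefix length as the network it stands in for."""
    real_a, real_b = IPv4Network(real_a), IPv4Network(real_b)
    nat_a, nat_b = IPv4Network(nat_a), IPv4Network(nat_b)
    problems = []
    for label, nat, real in (("nat_a", nat_a, real_a), ("nat_b", nat_b, real_b)):
        if nat.prefixlen != real.prefixlen:
            problems.append(f"{label}: prefix length differs from its real network")
        for other_label, other in (("real_a", real_a), ("real_b", real_b)):
            if nat.overlaps(other):
                problems.append(f"{label} overlaps {other_label}")
    if nat_a.overlaps(nat_b):
        problems.append("nat_a overlaps nat_b")
    return problems


def translate(addr, src_net, dst_net):
    """Static 1:1 NAT: keep the host part, swap the network prefix."""
    addr, src_net, dst_net = IPv4Address(addr), IPv4Network(src_net), IPv4Network(dst_net)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return str(IPv4Address(int(dst_net.network_address) + offset))


def a_to_b(src, dst):
    """Trace one packet from an A host to a B host. A's hosts address B by
    the block A chose for it (they never learn B's real IPs); A's gateway
    hides the real source behind the block B chose for A; B's gateway maps
    the NAT destination back to the real host. Returns (in_tunnel, delivered)."""
    in_tunnel = (translate(src, SITE_A_REAL, NAT_FOR_A), str(IPv4Address(dst)))
    delivered = (in_tunnel[0], translate(dst, NAT_FOR_B, SITE_B_REAL))
    return in_tunnel, delivered


def b_to_a(src, dst):
    """The same in the other direction; reply traffic follows this path."""
    in_tunnel = (translate(src, SITE_B_REAL, NAT_FOR_B), str(IPv4Address(dst)))
    delivered = (in_tunnel[0], translate(dst, NAT_FOR_A, SITE_A_REAL))
    return in_tunnel, delivered
```

Inside the tunnel only 172.16.50.x and 172.16.60.x ever appear, so neither gateway has to guess which 10.1.0.0/24 a packet belongs to.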

8 Replies

The best solution is always to change one of the overlapping networks! Using NAT is surely possible for a single VPN tunnel, but as soon as more tunnels and more overlapping networks add up, configuration gets harder and harder!

CCSE CCTE CCSM SMB Specialist
fabiofabio
Collaborator

Certainly! In fact I have more VPN tunnels, and this is the first time that I have to use NAT to work around the problem. So do you recommend using hide NAT or static NAT? And in what way?


I recommend changing the overlapping internal network. The alternative is a lot of headache:

sk170812: Route Based VPN solution for Overlapping Encryption Domains

CCSE CCTE CCSM SMB Specialist
fabiofabio
Collaborator

In this case it is a very large subnet; I cannot change it. I will try to convince the supplier to change it, but if it is not even possible on his part, how is it possible to solve it with NAT?


The alternative is some headache😉:

sk170812: Route Based VPN solution for Overlapping Encryption Domains

CCSE CCTE CCSM SMB Specialist


This works well for two peers in one community, but tends to get more complicated with every peer added.

CCSE CCTE CCSM SMB Specialist

At least it's a constant complexity overhead per connection to another company. I have about 250 such connections right now, and it's not too bad.